From fbab2040296e4fe3981e9c5fe1c9cbc1f97123f7 Mon Sep 17 00:00:00 2001
From: "William A. Rowe Jr" <wrowe@apache.org>
Date: Tue, 22 Nov 2016 18:34:25 +0000
Subject: [PATCH] List discussion resulted in rejecting all but SP characters
 in the request line, but in the strict mode prioritize excessive space
 testing over bad space testing (which is captured later) and make both more
 efficient (at this test ll[0] is already whitespace or \0 char). Also correct
 a comment.

Backports: r1770867
Submitted by: wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1770868 13f79535-47bb-0310-9956-ffa450edef68
---
 server/protocol.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/server/protocol.c b/server/protocol.c
index 3b297bd0f11..4de48e6f883 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -680,8 +680,8 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
         len = 0;
         goto rrl_done;
     }
-    else if (strict && ll[0] && (ll[0] != ' ' || apr_isspace(ll[1]))
-                 && deferred_error == rrl_none) {
+    else if (strict && ll[0] && apr_isspace(ll[1])
+             && deferred_error == rrl_none) {
         deferred_error = rrl_excesswhitespace; 
     }
 
@@ -689,8 +689,7 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
      * If non-SP whitespace is encountered, mark as specific error
      */
     for (uri = ll; apr_isspace(*uri); ++uri) 
-        if (ap_strchr_c("\t\n\v\f\r", *uri)
-                && deferred_error == rrl_none)
+        if (*uri != ' ' && deferred_error == rrl_none)
             deferred_error = rrl_badwhitespace; 
     *ll = '\0';
 
@@ -706,14 +705,14 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
         ll = strpbrk(ll, "\t\n\v\f\r ");
     }
 
-    /* Verify method terminated with a single SP, or mark as specific error */
+    /* Verify URI terminated with a single SP, or mark as specific error */
     if (!ll) {
         r->protocol = "";
         len = 0;
         goto rrl_done;
     }
-    else if (strict && ll[0] && (ll[0] != ' ' || apr_isspace(ll[1]))
-            && deferred_error == rrl_none) {
+    else if (strict && ll[0] && apr_isspace(ll[1])
+             && deferred_error == rrl_none) {
         deferred_error = rrl_excesswhitespace; 
     }
 
@@ -721,8 +720,7 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
      * If non-SP whitespace is encountered, mark as specific error
      */
     for (r->protocol = ll; apr_isspace(*r->protocol); ++r->protocol) 
-        if (ap_strchr_c("\t\n\v\f\r", *r->protocol)
-                && deferred_error == rrl_none)
+        if (*r->protocol != ' ' && deferred_error == rrl_none)
             deferred_error = rrl_badwhitespace; 
     *ll = '\0';
 
-- 
2.47.2